Creating the server request (no passphrase on the key)
# openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out /etc/ssl/requests/h25.csr -keyout /etc/ssl/private/h25.pem -outform PEM
- request: /etc/ssl/requests/h25.csr
- private key: /etc/ssl/private/h25.pem
# openssl req -text -noout -verify -in /etc/ssl/requests/h25.csr
Signing the request by the CA: add two sections to the configuration file, [ signing_policy ] and [ signing_req ]. When creating the self-signed CA certificate, these sections and changes are not advisable.
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Signing the request
# openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out newcerts/h25.pem -infiles requests/h25.csr
Using configuration from openssl-ca.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :ASN.1 12:'Mazowieckie'
localityName          :ASN.1 12:'Warszawa'
organizationName      :ASN.1 12:'H25.pl'
commonName            :ASN.1 12:'h25.pl'
Certificate is to be certified until Mar 4 07:10:54 2022 GMT (1095 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Verifying the certificate
# openssl x509 -in newcerts/h25.pem -text -noout
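Beyond reading the text dump, the issued certificate can be checked mechanically. The script below is an added example, not part of the original page: it replays the request/sign steps against a throwaway CA in a scratch directory and then checks chain, key match and CA:FALSE. The function names, ca.cnf, 'Scratch CA' and 'leaf.example' are assumptions made for the example, and [ signing_policy ] is cut down to commonName.

```shell
#!/bin/sh
# Added example; all paths and names are constructed, nothing touches /etc/ssl.
# make_scratch_pki DIR: throwaway CA and one leaf issued through `openssl ca`
# with [ signing_req ] as on the page ([ signing_policy ] cut to commonName).
make_scratch_pki() {
    d=$1
    mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" || return 1
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
default_days = 30
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
[ signing_policy ]
commonName = supplied
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -config "$d/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -sha256 \
        -nodes -days 30 -subj '/CN=Scratch CA' -keyout "$d/ca.key" -out "$d/ca.pem" &&
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
        -subj '/CN=leaf.example' -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl ca -batch -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key" \
        -policy signing_policy -extensions signing_req \
        -out "$d/leaf.pem" -infiles "$d/leaf.csr"
} >/dev/null 2>&1

# check_issued CERT KEY CAFILE: returns 0 if OK, else the number of the failed check.
check_issued() {
    # 1. The certificate chains to the CA.
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    # 2. The private key matches the certificate's public key.
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ] || return 2
    # 3. [ signing_req ] took effect: the leaf is not a CA.
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE' || return 3
}
```

Against the page's own files the call would be check_issued newcerts/h25.pem /etc/ssl/private/h25.pem with the CA certificate as the third argument.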